Here is a repost of a piece I wrote for our work blog: http://www.mtibytes.com/post/4-simple-tips-for-bolstering-your-business-security
High-profile breaches continue to dominate the news agenda. Stories of compromises of email systems, retail outlets, Internet auction sites and Apple's iCloud service show that no online service is safe from attackers.
Many of these incidents are the result of accounts being far too easy to take over, often through the password-reset process rather than the password itself. Such attacks are commonplace, and they will likely increase as social media uptake grows: the more personal information users share online, the weaker security questions become.
There are several issues with password and security-question authentication that every business should address, both by educating employees and by reviewing current security protocols and processes.
1. Avoid simple passwords
Despite repeated warnings from the IT industry, the most commonly used passwords in 2014 were ‘123456’ and ‘password’! Passwords like these fall within seconds to a dictionary attack, in which the attacker simply tries a list of common passwords (and predictable variations of them) against a stolen password hash or a login form.
2. Secret questions aren't so secret
On the surface, a personal security question may seem like a secure way to reset a password. However, what is often overlooked is the huge volume of personal information accessible via the Internet.
Consider, for example, the amount of information that Facebook alone archives about a user’s personal relationships, education, location, employment history and interests. Once a user’s information is out there, the user has little ability to control, edit or delete the copies of it.
A classic example is the Paris Hilton phone-hacking scandal of 2005. The T-Mobile Sidekick device had an Internet-facing dashboard, and to recover their password users had to answer security questions such as their date of birth and pet’s name. In reality, all of Paris’ security question answers could be found with an Internet search engine!
3. Mix it up
There is always a balance between usability and complexity. We encourage people to use a mixture of upper and lower case letters, special characters and numbers. In reality, complexity rules usually create two problems: users satisfy them with predictable substitutions (a capital first letter, ‘1!’ on the end) that attackers' word lists already include, and the resulting passwords are harder to remember, so password resets increase, which puts more weight on the weak reset mechanisms described above.
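To make tips 1 and 3 concrete, here is an added example (not code from the original post) of the dictionary attack both tips refer to. Everything in it is constructed for the demo: the eight-word "leaked password" list, the mangling rules, and the "stolen" hash dump, which is assumed to be unsalted SHA-256. It shows that policy-compliant passwords such as ‘Password1!’ and ‘Dr@g0n123’ are recovered just as quickly as ‘password’, while a long random passphrase is not in the dictionary at all.

```python
"""Dictionary attack against a constructed set of password hashes.

Added example for this article, not code from the original post. The word
list, the mangling rules and the 'stolen' hashes are all constructed inline
so the script runs offline; a real attacker uses lists of millions of leaked
passwords together with the same kind of rules.
"""
import hashlib

# Constructed mini word list: the sort of entries found at the top of any
# leaked-password list (the article names '123456' and 'password').
COMMON_WORDS = ["123456", "password", "qwerty", "letmein",
                "welcome", "monkey", "dragon", "football"]

# Constructed mangling rules that mimic how people satisfy complexity
# policies: a capital letter, a few digits or symbols, leet-speak letters.
SUFFIXES = ["", "1", "123", "!", "1!", "2014", "2014!"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def sha256_hex(password):
    """Unsalted SHA-256, as a stand-in for a weak password store (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed 'stolen' hash dump: three policy-compliant passwords built from
# dictionary words, and one long random passphrase for contrast.
STOLEN_HASHES = [
    sha256_hex("password"),
    sha256_hex("Password1!"),
    sha256_hex("Dr@g0n123"),
    sha256_hex("tundra-quiet-lantern-42"),
]


def candidates(words):
    """Yield each base word plus the predictable 'complex' variants of it."""
    for word in words:
        variants = {word, word.capitalize(), word.upper(),
                    word.translate(LEET), word.capitalize().translate(LEET)}
        for variant in variants:
            for suffix in SUFFIXES:
                yield variant + suffix


def crack(hashes, words=COMMON_WORDS):
    """Return {hash: password} for every hash the dictionary recovers.

    Each candidate is hashed once and looked up in the target set, so the
    cost is proportional to the dictionary, not to the number of victims.
    """
    targets = set(hashes)
    found = {}
    for candidate in candidates(words):
        digest = sha256_hex(candidate)
        if digest in targets and digest not in found:
            found[digest] = candidate
            if len(found) == len(targets):
                break
    return found


if __name__ == "__main__":
    results = crack(STOLEN_HASHES)
    for digest in STOLEN_HASHES:
        print(f"{digest[:16]}...  {results.get(digest, '<not found in dictionary>')}")
```

With eight base words and a handful of rules the attack tries fewer than 300 candidates, which is why the "within seconds" in tip 1 is no exaggeration. Salting and a slow hash such as bcrypt raise the cost per guess, but they do not rescue a password that is a dictionary word with a predictable suffix.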
4. Be streetwise – does it seem phishy?
Users often receive emails that appear to come from their service provider. The email claims there is a problem with the account and demands an immediate password reset, change or confirmation via a link.
The user follows the link to a look-alike site, enters their password and is shown either an error page or a confirmation. An especially careful attacker will immediately use the captured credentials against the genuine service, or relay the user's input to it, so that everything appears normal.
Even with strong and complex passwords, users can still be victims of phishing. To avoid it, users should check the legitimacy of an email before acting on it: look at the sender's actual address, check where links really point before clicking, and for anything concerning the account go to the provider's site directly rather than through the link. If it seems fishy (excuse the pun), ignore it or delete it.
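The checks just described can be written down. The following added example (not code from the original post) parses two constructed emails and reports the signs of a password-reset phish: a sender domain that is not the provider's, link text that shows the genuine site while the href goes elsewhere, a look-alike domain containing the brand name, and urgency wording in the subject. ‘example.com’ is assumed to be the genuine provider and ‘example-support.net’ the attacker's domain; the registrable-domain helper is a deliberate simplification noted in its docstring.

```python
"""Flag the tell-tale signs of a password-reset phishing mail.

Added example for this article, not code from the original post. Both
messages are constructed: 'example.com' is the genuine provider and
'example-support.net' an attacker's look-alike domain.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing mail: look-alike sender, link text that shows the real
# site while the href goes elsewhere, and the usual urgency in the subject.
PHISHING_MAIL = """\
From: Example Security <no-reply@example-support.net>
To: user@corp.test
Subject: Urgent: confirm your password within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Confirm your password now or your account
will be suspended.</p>
<p><a href="https://accounts.example-support.net/reset?u=4411">https://accounts.example.com/reset</a></p>
<p>Questions? Visit <a href="https://www.example.com/help">our help centre</a>.</p>
</body></html>
"""

# Constructed legitimate mail from the same provider, for contrast.
LEGIT_MAIL = """\
From: Example <no-reply@example.com>
To: user@corp.test
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>View it at
<a href="https://www.example.com/statements">https://www.example.com/statements</a>.</p></body></html>
"""

URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a host: 'accounts.example.com' -> 'example.com'.

    Simplification: a real check would use the public suffix list so that
    'shop.example.co.uk' is not reduced to 'co.uk'.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse(raw_mail, trusted_domain):
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = email.message_from_string(raw_mail, policy=policy.default)
    findings = []
    sender_domain = msg["From"].addresses[0].domain
    if registrable(sender_domain) != trusted_domain:
        findings.append(f"sender domain {sender_domain!r} is not {trusted_domain!r}")
    subject = str(msg["Subject"]).lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append(f"urgency language in subject: {msg['Subject']!r}")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = LinkExtractor()
    parser.feed(body.get_content())
    brand = trusted_domain.split(".")[0]
    for href, text in parser.links:
        target = registrable(urlparse(href).hostname or "")
        # Visible text that is itself a URL must agree with the real target.
        if text.startswith(("http://", "https://")):
            shown = registrable(urlparse(text).hostname or "")
            if shown != target:
                findings.append(f"link text shows {shown!r} but points at {target!r}")
        # A different registrable domain that still contains the brand name.
        if target != trusted_domain and brand in target:
            findings.append(f"look-alike domain {target!r} imitates {trusted_domain!r}")
    return findings


if __name__ == "__main__":
    for label, mail in (("phishing", PHISHING_MAIL), ("legitimate", LEGIT_MAIL)):
        print(f"{label}: {analyse(mail, 'example.com') or ['no findings']}")
```

The phishing message produces four findings and the legitimate one none. Note that the second link in the phishing mail really does go to the provider's help page; attackers mix genuine links in to look authentic, so the check has to be applied per link, not per message.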
Moving beyond passwords
Passwords on their own were once a reasonably adequate control. That was until the proliferation of digital technologies and social media took full effect. As attacks become more sophisticated, methods of authentication will need to follow suit. In the next blog post, we’ll discuss how multi-factor authentication may be the way forward.